From 4288c623d62cf90d8e4444facb3379fb06d01140 Mon Sep 17 00:00:00 2001
From: "Gregory P. Smith" <greg@krypto.org>
Date: Thu, 20 Jul 2023 20:30:52 -0700
Subject: [PATCH] [3.12] gh-106669: Revert "gh-102988: Detect email address
 parsing errors ... (GH-105127)" (GH-106733)

This reverts commit 18dfbd035775c15533d13a98e56b1d2bf5c65f00.
Adds a regression test from the issue.

See https://github.com/python/cpython/issues/106669..
(cherry picked from commit a31dea1feb61793e48fa9aa5014f358352205c1d)

Co-authored-by: Gregory P. Smith <greg@krypto.org>
---
 Doc/library/email.utils.rst                                              |   24 ---
 Lib/email/test/test_email.py                                             |   18 ++
 Lib/email/test/test_email_renamed.py                                     |    4 
 Lib/email/utils.py                                                       |   66 ----------
 Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst |    5 
 5 files changed, 32 insertions(+), 85 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst

--- a/Doc/library/email.utils.rst
+++ b/Doc/library/email.utils.rst
@@ -63,11 +63,6 @@ There are several useful utilities provi
    :func:`time.mktime`; otherwise ``None`` will be returned.  Note that indexes 6,
    7, and 8 of the result tuple are not usable.
 
-   .. versionchanged:: 3.12
-      For security reasons, addresses that were ambiguous and could parse into
-      multiple different addresses now cause ``('', '')`` to be returned
-      instead of only one of the *potential* addresses.
-
 
 .. function:: parsedate_tz(date)
 
@@ -108,25 +103,6 @@ There are several useful utilities provi
 
    .. versionadded:: 2.4
 
-   When parsing fails for a single fieldvalue, a 2-tuple of ``('', '')``
-   is returned in its place.  Other errors in parsing the list of
-   addresses such as a fieldvalue seemingly parsing into multiple
-   addresses may result in a list containing a single empty 2-tuple
-   ``[('', '')]`` being returned rather than returning potentially
-   invalid output.
-
-   Example malformed input parsing:
-
-   .. doctest::
-
-      >>> from email.utils import getaddresses
-      >>> getaddresses(['alice@example.com <bob@example.com>', 'me@example.com'])
-      [('', '')]
-
-   .. versionchanged:: 3.12
-      The 2-tuple of ``('', '')`` in the returned values when parsing
-      fails were added as to address a security issue.
-
 
 .. function:: make_msgid([idstring])
 
--- a/Lib/email/test/test_email.py
+++ b/Lib/email/test/test_email.py
@@ -2414,6 +2414,24 @@ Foo
            [('Al Person', 'aperson@dom.ain'),
             ('Bud Person', 'bperson@dom.ain')])
 
+    def test_getaddresses_comma_in_name(self):
+        """GH-106669 regression test."""
+        self.assertEqual(
+            Utils.getaddresses(
+                [
+                    '"Bud, Person" <bperson@dom.ain>',
+                    'aperson@dom.ain (Al Person)',
+                    '"Mariusz Felisiak" <to@example.com>',
+                ]
+            ),
+            [
+                ('Bud, Person', 'bperson@dom.ain'),
+                ('Al Person', 'aperson@dom.ain'),
+                ('Mariusz Felisiak', 'to@example.com'),
+            ],
+        )
+
+    @unittest.skip("Results are too irregular with patches for CVE-2023-27043")
     def test_getaddresses_nasty(self):
         eq = self.assertEqual
         eq(Utils.getaddresses(['foo: ;']), [('', '')])
--- a/Lib/email/test/test_email_renamed.py
+++ b/Lib/email/test/test_email_renamed.py
@@ -2275,12 +2275,14 @@ Foo
            [('Al Person', 'aperson@dom.ain'),
             ('Bud Person', 'bperson@dom.ain')])
 
+    @unittest.skip("Results are too irregular with patches for CVE-2023-27043")
     def test_getaddresses_nasty(self):
         eq = self.assertEqual
         eq(utils.getaddresses(['foo: ;']), [('', '')])
         eq(utils.getaddresses(
            ['[]*-- =~$']),
-           [('', ''), ('', ''), ('', '*--')])
+           [('', ''), ('', ''), ('', '*--')]
+        )
         eq(utils.getaddresses(
            ['foo: ;', '"Jason R. Mastaler" <jason@dom.ain>']),
            [('', ''), ('Jason R. Mastaler', 'jason@dom.ain')])
--- a/Lib/email/utils.py
+++ b/Lib/email/utils.py
@@ -101,56 +101,11 @@ def formataddr(pair):
 
 
 
-def _pre_parse_validation(email_header_fields):
-    accepted_values = []
-    for v in email_header_fields:
-        s = v.replace('\\(', '').replace('\\)', '')
-        if s.count('(') != s.count(')'):
-            v = "('', '')"
-        accepted_values.append(v)
-
-    return accepted_values
-
-
-
-def _post_parse_validation(parsed_email_header_tuples):
-    accepted_values = []
-    # The parser would have parsed a correctly formatted domain-literal
-    # The existence of an [ after parsing indicates a parsing failure
-    for v in parsed_email_header_tuples:
-        if '[' in v[1]:
-            v = ('', '')
-        accepted_values.append(v)
-
-    return accepted_values
-
-
-
 def getaddresses(fieldvalues):
-    """Return a list of (REALNAME, EMAIL) or ('','') for each fieldvalue.
-
-    When parsing fails for a fieldvalue, a 2-tuple of ('', '') is returned in
-    its place.
-
-    If the resulting list of parsed address is not the same as the number of
-    fieldvalues in the input list a parsing error has occurred.  A list
-    containing a single empty 2-tuple [('', '')] is returned in its place.
-    This is done to avoid invalid output.
-    """
-    fieldvalues = [str(v) for v in fieldvalues]
-    fieldvalues = _pre_parse_validation(fieldvalues)
-    all = COMMASPACE.join(v for v in fieldvalues)
+    """Return a list of (REALNAME, EMAIL) for each fieldvalue."""
+    all = COMMASPACE.join(str(v) for v in fieldvalues)
     a = _AddressList(all)
-    result = _post_parse_validation(a.addresslist)
-
-    n = 0
-    for v in fieldvalues:
-        n += v.count(',') + 1
-
-    if len(result) != n:
-        return [('', '')]
-
-    return result
+    return a.addresslist
 
 
 
@@ -262,18 +217,9 @@ def parseaddr(addr):
     Return a tuple of realname and email address, unless the parse fails, in
     which case return a 2-tuple of ('', '').
     """
-    if isinstance(addr, list):
-        addr = addr[0]
-
-    if not isinstance(addr, str):
-        return ('', '')
-
-    addr = _pre_parse_validation([addr])[0]
-    addrs = _post_parse_validation(_AddressList(addr).addresslist)
-
-    if not addrs or len(addrs) > 1:
-        return ('', '')
-
+    addrs = _AddressList(addr).addresslist
+    if not addrs:
+        return '', ''
     return addrs[0]
 
 
--- a/Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst
+++ b/Misc/NEWS.d/next/Security/2023-06-13-20-52-24.gh-issue-102988.Kei7Vf.rst
@@ -1,3 +1,8 @@
+Reverted the :mod:`email.utils` security improvement change released in
+3.12beta4 that unintentionally caused :mod:`email.utils.getaddresses` to fail
+to parse email addresses with a comma in the quoted name field.
+See :gh:`106669`.
+
 CVE-2023-27043: Prevent :func:`email.utils.parseaddr`
 and :func:`email.utils.getaddresses` from returning the realname portion of an
 invalid RFC2822 email header in the email address portion of the 2-tuple